Two issues found dogfooding mcp__pare-test__run (pytest) on Chipzen. Env: Windows 11, pytest 9.0.x, Python 3.13.
1. args blanket-rejects any value starting with -
args: ["-p", "no:logfire"] → Invalid args: "-p". Values must not start with "-" to prevent argument injection.
This blocks legitimate, required pytest flags. Chipzen MUST run with -p no:logfire because a broken logfire pydantic plugin raises an ImportError at collection time otherwise. There is no other param to pass a plugin-disable (or -x, -k, -q, etc.).
Suggested fixes (any of):
- per-token validation / allowlist of known-safe flags rather than a blanket
- reject;
- a dedicated
plugins: ["no:logfire"] and/or pytestArgs passthrough that maps to -p;
- accept
--args when they match ^-{1,2}[A-Za-z0-9][\w:.=-]*$ (no shell metachars).
2. run reports a green-looking 0/0/0 when collection finds nothing / fails
run({framework:"pytest", filter:"tests/test_seed_e2e_approved_bots.py"}) → {total:0,passed:0,failed:0,skipped:0,failures:[]}.
But python -m pytest tests/test_seed_e2e_approved_bots.py -p no:logfire -q directly → 3 passed.
So either filter didn't map to a collectable path arg, or collection failed (likely the same logfire plugin import error) and was swallowed into a 0/0/0 that looks like success. Expectation: surface collection errors and return non-success when nothing was collected — a silent 0/0/0 is indistinguishable from "all green" to a caller.
Two issues found dogfooding
mcp__pare-test__run(pytest) on Chipzen. Env: Windows 11, pytest 9.0.x, Python 3.13.1.
argsblanket-rejects any value starting with-args: ["-p", "no:logfire"]→Invalid args: "-p". Values must not start with "-" to prevent argument injection.This blocks legitimate, required pytest flags. Chipzen MUST run with
-p no:logfirebecause a brokenlogfirepydantic plugin raises anImportErrorat collection time otherwise. There is no other param to pass a plugin-disable (or-x,-k,-q, etc.).Suggested fixes (any of):
-reject;plugins: ["no:logfire"]and/orpytestArgspassthrough that maps to-p;--args when they match^-{1,2}[A-Za-z0-9][\w:.=-]*$(no shell metachars).2.
runreports a green-looking0/0/0when collection finds nothing / failsrun({framework:"pytest", filter:"tests/test_seed_e2e_approved_bots.py"})→{total:0,passed:0,failed:0,skipped:0,failures:[]}.But
python -m pytest tests/test_seed_e2e_approved_bots.py -p no:logfire -qdirectly → 3 passed.So either
filterdidn't map to a collectable path arg, or collection failed (likely the same logfire plugin import error) and was swallowed into a 0/0/0 that looks like success. Expectation: surface collection errors and return non-success when nothing was collected — a silent0/0/0is indistinguishable from "all green" to a caller.